diff options
author | Will Deacon | 2020-12-15 11:15:38 -0600 |
---|---|---|
committer | Giuliano Procida | 2020-12-30 04:20:48 -0600 |
commit | 811618a9016c45b1f01ec5ff7f9624aae6495bc7 (patch) | |
tree | cae76e419ecca9a5e00e84ee9239e2b26b5fcbf9 /drivers/usb/gadget/function/f_accessory.c | |
parent | 03f232dcf8d411cd1b7fa6207018b706dbaf8229 (diff) | |
download | kernel-811618a9016c45b1f01ec5ff7f9624aae6495bc7.tar.gz kernel-811618a9016c45b1f01ec5ff7f9624aae6495bc7.tar.xz kernel-811618a9016c45b1f01ec5ff7f9624aae6495bc7.zip |
ANDROID: usb: f_accessory: Don't drop NULL reference in acc_disconnect()
If get_acc_dev() fails to obtain a reference to the current device,
acc_disconnect() will attempt to put_acc_dev() with the resulting NULL
pointer, leading to a crash:
| Unable to handle kernel NULL pointer dereference at virtual address 00000074
| [...]
| [<c0abb288>] (acc_disconnect) from [<c0a91a38>] (android_disconnect+0x1c/0x7c)
| [<c0a91a38>] (android_disconnect) from [<c0a93958>] (usb_gadget_udc_reset+0x10/0x34)
| [<c0a93958>] (usb_gadget_udc_reset) from [<c0a4a9c4>] (dwc3_gadget_reset_interrupt+0x88/0x4fc)
| [<c0a4a9c4>] (dwc3_gadget_reset_interrupt) from [<c0a491f8>] (dwc3_process_event_buf+0x60/0x3e4)
| [<c0a491f8>] (dwc3_process_event_buf) from [<c0a49180>] (dwc3_thread_interrupt+0x24/0x3c)
| [<c0a49180>] (dwc3_thread_interrupt) from [<c02b3404>] (irq_thread_fn+0x1c/0x58)
| [<c02b3404>] (irq_thread_fn) from [<c02b326c>] (irq_thread+0x1ec/0x2f4)
| [<c02b326c>] (irq_thread) from [<c0260804>] (kthread+0x1a8/0x1ac)
| [<c0260804>] (kthread) from [<c0200138>] (ret_from_fork+0x14/0x3c)
Follow the pattern used elsewhere, and return early if we fail to obtain
a reference.
Bug: 173789633
Reported-by: YongQin Liu <yongqin.liu@linaro.org>
Signed-off-by: Will Deacon <willdeacon@google.com>
Change-Id: I37a2bff5bc1b6b8269788d08191181763bf0e896
Signed-off-by: Giuliano Procida <gprocida@google.com>
Diffstat (limited to 'drivers/usb/gadget/function/f_accessory.c')
-rw-r--r-- | drivers/usb/gadget/function/f_accessory.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/drivers/usb/gadget/function/f_accessory.c b/drivers/usb/gadget/function/f_accessory.c index a2dc735a9438..a9bd90612986 100644 --- a/drivers/usb/gadget/function/f_accessory.c +++ b/drivers/usb/gadget/function/f_accessory.c | |||
@@ -1400,10 +1400,11 @@ void acc_disconnect(void) | |||
1400 | { | 1400 | { |
1401 | struct acc_dev *dev = get_acc_dev(); | 1401 | struct acc_dev *dev = get_acc_dev(); |
1402 | 1402 | ||
1403 | /* unregister all HID devices if USB is disconnected */ | 1403 | if (!dev) |
1404 | if (dev) | 1404 | return; |
1405 | kill_all_hid_devices(dev); | ||
1406 | 1405 | ||
1406 | /* unregister all HID devices if USB is disconnected */ | ||
1407 | kill_all_hid_devices(dev); | ||
1407 | put_acc_dev(dev); | 1408 | put_acc_dev(dev); |
1408 | } | 1409 | } |
1409 | EXPORT_SYMBOL_GPL(acc_disconnect); | 1410 | EXPORT_SYMBOL_GPL(acc_disconnect); |